CODESYS Control for Raspberry Pi 64 SL

1. Tutorial Goals

By the end of this hands-on tutorial, you will be able to:

  • Understand the CODESYS Control for Raspberry Pi 64 SL runtime architecture
  • Interpret certificate-related status messages:
    • CmpWebServer → no valid certificate
    • CmpOPCUAServer → no valid certificate
    • CmpSecureChannel → valid certificate
  • Use the runtime command shell effectively
  • Generate and manage certificates using cert-* commands
  • Enable secure communication for:
    • Web Server (HTTPS)
    • OPC UA Server (Secure Endpoint)

This tutorial is written as a practical lab, not just theory.


2. Prerequisites

Hardware

  • Raspberry Pi (64-bit capable)
  • Ethernet or Wi-Fi connectivity

Software

  • Raspberry Pi OS 64-bit
  • CODESYS Control for Raspberry Pi 64 SL installed and running
  • CODESYS Development System (on PC)
  • SSH access or local terminal access to the Raspberry Pi

Assumptions

  • The runtime is already started
  • You can access the CODESYS Runtime Shell (via SSH or local terminal)

3. Understanding the Runtime Components

Before touching certificates, it is important to understand who uses them.

3.1 Key Runtime Components

Component          Purpose                                  Certificate Required
CmpSecureChannel   Secure communication with CODESYS IDE    ✅ Yes
CmpWebServer       Web visualization & device web pages     ✅ Yes (HTTPS)
CmpOPCUAServer     OPC UA secure communication              ✅ Yes

3.2 Your Current Status

Web Server (CmpWebServer): CertAvailable = FALSE

OPC UA Server (CmpOPCUAServer): CertAvailable = FALSE

Secure Channel (CmpSecureChannel): CertAvailable = TRUE

✅ This means:

  • You can connect from the IDE (secure channel works)
  • You cannot yet serve the web server over HTTPS
  • You cannot use OPC UA security modes yet

This is a normal fresh-install situation.


4. Accessing the Runtime Command Shell

Log into your Raspberry Pi:

ssh pi@<raspberry_pi_ip>

Then enter the CODESYS runtime shell (usually automatic, or via the service environment).

Test communication:

?

Expected output (similar to yours):

getcmdlist

mem

reflect

applist


5. Exploring the Command List

Run:

getcmdlist

5.1 Important Command Groups

Runtime / System

  • rtsinfo
  • cpuload
  • gettasks
  • getmulticoreinfo

Application Control

  • applist
  • startprg
  • stopprg
  • resetprg
  • resetprgcold

Networking

  • setinterfaceipdynamic
  • getinterfaceipdynamic

Logging

  • logsetfilter
  • loggetfilter

Security & Certificates

  • cert-getapplist
  • cert-genselfsigned
  • cert-getcertlist
  • cert-createcsr
  • cert-import
  • cert-export
  • cert-remove
  • showsecuritysettings

We will now focus on certificates.


6. Inspect Current Security State

Run:

showsecuritysettings

This shows:

  • Which components expect certificates
  • Which ones already have valid certificates

Typical result (simplified):

  • Secure Channel → OK
  • Web Server → Missing certificate
  • OPC UA Server → Missing certificate

7. Listing Existing Certificates

Run:

cert-getcertlist

Expected outcome:

  • One certificate used by CmpSecureChannel
  • No certificates for Web Server or OPC UA

This confirms the initial diagnosis.


8. Generating a Self-Signed Certificate (Hands-on)

8.1 Why Self-Signed?

For development, testing, and internal networks, self-signed certificates are perfectly fine.

Later, you can replace them with CA-signed certificates.


8.2 Generate a Self-Signed Certificate

Run:

cert-genselfsigned

You may be prompted for:

  • Common Name (CN) → e.g. codesys-rpi
  • Organization → optional
  • Validity period

✅ This creates:

  • A private key
  • A certificate stored in the CODESYS certificate store

9. Verifying Certificate Creation

Run again:

cert-getcertlist

You should now see additional certificates.

Also check:

showsecuritysettings

Some components may still show CertAvailable = FALSE until restart.


10. Restarting Runtime Components

Reload runtime configuration:

reload

Or, if needed:

resetprgcold

⚠️ This stops running applications.

After reload, check again:

showsecuritysettings

Expected result:

  • Web Server → CertAvailable = TRUE
  • OPC UA Server → CertAvailable = TRUE

11. Enabling HTTPS Web Server (Validation)

  1. Open a browser
  2. Navigate to:
https://

You will see a browser warning (self-signed certificate).

✅ This is expected.

Proceed anyway to confirm:

  • HTTPS works
  • Web server is now secured

12. OPC UA Server Certificate Validation

12.1 In CODESYS IDE

  1. Add an OPC UA Server configuration
  2. Enable Sign & Encrypt security policy
  3. Download configuration to the Raspberry Pi

12.2 Trust Exchange

  • Export the server certificate:

cert-export

  • Import it into your OPC UA client trust store

Now OPC UA secure sessions should connect successfully.
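
The trust exchange above also applies to the HTTPS web server from section 11: rather than clicking through the browser warning, a client can check that the certificate the Raspberry Pi presents is exactly the one exported with cert-export. The following is an added example, not part of the original tutorial or of CODESYS; the host, HTTPS port and exported file name are supplied by you, and the export is assumed to be a PEM or DER encoded certificate file.

```python
"""Added example: pin the runtime's self-signed certificate by SHA-256 fingerprint."""
import hashlib
import hmac
import socket
import ssl
import sys


def load_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes for a certificate file that may be PEM or DER encoded."""
    stripped = cert_bytes.strip()
    if stripped.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    return cert_bytes  # assumption: anything else is already DER


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def matches_pin(presented_der: bytes, exported_file_bytes: bytes) -> bool:
    """True only if the server presented exactly the exported certificate."""
    expected = fingerprint(load_der(exported_file_bytes))
    return hmac.compare_digest(fingerprint(presented_der), expected)


def fetch_presented_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server presents, without trusting it yet."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # a self-signed cert has no chain to validate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python pin_check.py <host> <https_port> <exported_cert_file>
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(path, "rb") as fh:
        exported = fh.read()
    ok = matches_pin(fetch_presented_cert(host, port), exported)
    print("certificate matches exported copy" if ok else "MISMATCH: do not proceed")
    sys.exit(0 if ok else 1)
```

A mismatch means the endpoint is not presenting the certificate you exported, for example because the certificate was regenerated or because something else is answering on that address.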


13. Useful Runtime Monitoring Commands

CPU Load

cpuload

Task Information

gettasks

Active Sessions

sessinfo-list

Real-Time Clock

rtc-get


14. Common Troubleshooting

Web Server Still Not Secure

  • Run cert-getcertlist
  • Ensure reload was executed
  • Check showsecuritysettings

OPC UA Still Fails

  • Confirm certificate trust on the client side
  • Ensure security policy is not set to None

Certificate Cleanup

Remove unused certificates:

cert-remove


15. What You Learned

  ✔ Runtime command shell navigation
  ✔ Certificate lifecycle in CODESYS
  ✔ Securing Web Server and OPC UA
  ✔ Practical use of cert-* commands
  ✔ Understanding Secure Channel vs services


16. Next Practice Ideas

  • Replace self-signed cert with CA-signed cert
  • Enable OPC UA user authentication
  • Automate certificate deployment
  • Combine with firewall rules on Raspberry Pi